Chip-and-PIN is broken

Noted security researcher Ross Anderson and colleagues have published a paper showing how "Chip-and-PIN" (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn't stop the banks from pushing ahead with it, spending a fortune in the process.

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".

It's no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) -- in fact Steven blogged about it here last August.

But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you're not even looking? The banks didn't even realise they needed to check.

Not only is chip and PIN broken but also CAP is useless. CAP, which is used to secure online banking access, is based on EMV chip and PIN. A stolen card can be used to transfer money between accounts online without the need for the PIN.

When your card is stolen, and you phone your bank to report it, they will automatically block all future transactions, right? So this only works before you report it?

They would block all transactions if there is a direct link between the terminal and the transaction processor, but there are still many retailers with an ‘off-line’ terminal.
Now, the trick is, to not be greedy, because if you use the card for a large purchase, the retailer is required to ask for authentication by phone.
But if you keep the amounts low enough, and you know which places to go to, you can, in principle, use that card until the date expires.
And this happens a lot.
And the only thing transaction processors can do is write it off as a loss.

An off-line terminal? I have never seen one of those, and it sounds pretty insecure; what if the account doesn’t have enough funds?
In Spain, to stop credit card fraud they created a law in which you must show your ID with your credit or debit card at any purchase.

Do tellers actually check your ID? Legally, in the US, they’re supposed to compare signatures, but less than 1 in 10 clerks actually glances at the back of my card. I know this because I write “CHECK PHOTO ID” next to the signature.

A law that says the clerks must check photo ID doesn’t fix this problem. The banks need to be held responsible for their bad design. When they’re liable, it will be fixed.

The cynic would note, of course, that the real purpose of this “security” system is to allocate liability. If the system is believed to be secure, the bank can argue that the customer must have negligently caused the compromise and refuse to eat the loss. The same phenomenon shows up occasionally in car security systems or the “verified by visa” system used for some online credit transactions in the US.

Hopefully the authoritative demonstration that the system is not, in fact, secure will derail this attempt until the next “secure” system is developed.

Whether you’re responsible for fraudulent use or not, a credit card is likely to give you better results in practice. 1) Because no money is taken out of your account in the meantime when you’re trying to get fraudulent activity fixed (which can matter if you have other bills to pay), and 2) because the credit card company doesn’t get paid until you say so, while a bank gets its money immediately upon the debit purchase posting.

A debit card has a limit, either by service or at least by your account balance, as opposed to a credit card, which often has a limit much higher than your balance used to be. I keep only as much as I need for the moment on the account that my Visa is connected to, and the rest is transferred to another account used to pay my bills online and get some interest. That is my personal safety line. So if someone tries to buy a computer with my card they will get “purchase denied” (they won’t ever see my balance), but with a credit card they would have bought it in my name and I’d have to fight the bill later. Every fraud is a hassle, but I still think debit cards are safer, and they won’t put you in debt.

Sometimes the easiest way to break a security system is to force it to fall back on less secure alternatives.

The banks in my area started rolling out chip-and-PIN debit and credit cards within the last year. Since then, there have been several times when the terminal was unable to properly utilize the chip on my card — mainly because the contacts on the machine were worn out. When this happened, the retailer was able to do an old-fashioned swipe-the-stripe transaction instead of using the chip. And many terminals still don’t support the chip at all.

So, rather than having to reproduce a card with a working chip, you need to reproduce a card that appears to have a working chip, but doesn’t. When you try to use it, the chip fails, you put on a bit of a show, and the retailer will fall back on using the mag stripe. Chip avoided.

For an unscrupulous retailer, the problem is even easier. All they have to do is claim their terminal can’t use the chip and use the stripe instead. They record the stripe and PIN the same way they always have, and they can produce the card (without a chip) as described above.

If a security protocol involves an option, the attacker will always take the weakest option.
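Two issuer-side checks that follow from the points above (the unauthenticated cardholder-verification negotiation described in the original post, and the magstripe fallback described in this comment), written here as an added example that is not part of the post, the paper or any bank's system. The record fields, reason codes and sample batch are constructed for illustration; real EMV authorisation data carries these facts in tags such as CVM Results (9F34), TVR (95) and Issuer Application Data (9F10), which need issuer-specific parsing.

```python
"""Issuer-side authorisation checks, constructed for this example.

Check 1 (CVM mismatch): the terminal reports "verified by PIN" while the
card's own verification results say no PIN was checked, which is what the
wedge between card and terminal produces (card thinks chip-and-signature,
terminal thinks chip-and-PIN).
Check 2 (weakest-option fallback): a magstripe transaction on a card the
issuer personalised with a working chip.
Field names are assumptions for this example, not EMV tag names.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AuthRecord:
    txn_id: str
    entry_mode: str          # "chip" or "magstripe" (assumed field)
    card_has_chip: bool      # issuer knows whether it personalised a chip
    terminal_cvm: str        # terminal's claim: "pin", "signature" or "none"
    card_pin_verified: bool  # the card's own record of an offline PIN check


def check(rec: AuthRecord) -> List[str]:
    """Return reason codes for anything suspicious; an empty list means clean."""
    flags: List[str] = []
    if rec.entry_mode == "chip" and rec.terminal_cvm == "pin" and not rec.card_pin_verified:
        # Terminal and card disagree about how the cardholder was verified.
        flags.append("CVM_MISMATCH")
    if rec.entry_mode == "magstripe" and rec.card_has_chip:
        # The chip was bypassed; stripe data carries none of the chip's evidence.
        flags.append("CHIP_FALLBACK")
    return flags


def triage(records: List[AuthRecord]) -> Dict[str, List[str]]:
    """Map each transaction id to its reason codes (batch scoring over a file)."""
    return {r.txn_id: check(r) for r in records}


# Constructed sample batch: honest chip-and-PIN, wedge, chip fallback, stripe-only card.
SAMPLE = [
    AuthRecord("t1", "chip", True, "pin", True),
    AuthRecord("t2", "chip", True, "pin", False),
    AuthRecord("t3", "magstripe", True, "signature", False),
    AuthRecord("t4", "magstripe", False, "signature", False),
]

if __name__ == "__main__":
    for txn, reasons in triage(SAMPLE).items():
        print(txn, reasons or "clean")
```

An honest chip-and-signature sale (terminal says "signature", card says no PIN) is consistent and is not flagged; only the disagreement between the two parties is.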

While on the subject, and since signature validation has been mentioned, I have to link the classic credit card prank (a.k.a. “How crazy would I have to make my signature before someone would actually notice?”) for those who are new to the internet.

There isn’t really much of a prank there. From the retailer side of things, all that’s needed to get paid for a card-present transaction is to get either a physical or electronic imprint, an authorization for the amount of the transaction from the bank, and a signature. There is no particular requirement to VERIFY the signature at all; there just has to be one. If a retailer can present these three things for a transaction, they get paid, regardless of whether or not it’s fraudulent.

That’s why nobody cares if you sign your card; it’s only your security the lack of a signature threatens, and the smart retailer doesn’t put itself in the position of unnecessarily policing its own customers. Forcing customers to sign their own cards for their own protection only threatens to alienate people with absolutely no benefit to the retailer.

No you are wrong. Maybe the staff doesn’t care, but the store owner really does.

“The liability for fraud lies on the merchant, not the credit card company. The merchant must pay the full cost of the fraud plus a chargeback fee (unless the merchant’s chargeback insurance covers it).”

“The merchant loses the goods or services sold, the payment, the fees for processing the payment, any currency conversion commissions, and the amount of the chargeback penalty. For obvious reasons, many merchants take steps to avoid chargebacks—such as not accepting suspicious transactions.”

I do this for a living. The liability only lies on the merchant for a card-present transaction if they cannot produce the imprint, the signed receipt, and an authorization for the charge. When the retailer can present these three things, the bank eats the cost of fraud. That wiki is pretty crap.

Every source I’ve found tells the same thing as the wiki. Maybe this has something to do with national laws or local banks? Or whether the card is present/absent (ecommerce)? Or rules that have changed recently?

There are different authorization procedures for different kinds of transactions. Virtually all of those sources seem to deal with online businesses, which I have not been talking about since it’s not really relevant to that “prank”. Nobody produces a signature for an internet sale. What I am telling you is what I know: brick and mortar retail business. And in the brick and mortar world when we get a chargeback we present those three items I listed and then we get paid. So sign whatever the hell you want on the back of your card or on the signature slip, I’m not policing your money for you.

phisrow has it absolutely right. Even at introduction it was pointed out that chip’n’pin wasn’t anywhere near foolproof, but the banks choose to assume it is, and so operate on a presumption (backed in the UK by our craven government) that the cardholder is liable.